Skip to content

Commit edf1b9e

Browse files
committed
{FOLD]
1 parent 9c07b42 commit edf1b9e

32 files changed

Lines changed: 14155 additions & 207 deletions

doc/modules/ROOT/pages/2.http-tutorial/2.http-tutorial.adoc

Lines changed: 32 additions & 207 deletions
Original file line numberDiff line numberDiff line change
@@ -9,210 +9,35 @@
99

1010
= Introduction to HTTP
1111

12-
This section covers the fundamentals of HTTP that you need to understand
13-
before using the library. After reading this, you'll know how HTTP sessions
14-
work, what constitutes a message, and what security pitfalls to avoid.
15-
16-
== Sessions
17-
18-
HTTP is a stream-oriented protocol between two connected programs: a client
19-
and a server. While the connection remains open, the client sends HTTP requests
20-
and the server sends HTTP responses. These messages are paired in order—each
21-
request has exactly one corresponding response.
22-
23-
[source]
24-
----
25-
Client Server
26-
| |
27-
|-------- Request #1 ----------------->|
28-
|<------- Response #1 -----------------|
29-
| |
30-
|-------- Request #2 ----------------->|
31-
|<------- Response #2 -----------------|
32-
| |
33-
˅ ˅
34-
----
35-
36-
An HTTP/1.1 session typically proceeds as follows:
37-
38-
1. Client establishes a TCP connection to the server
39-
2. Client sends a request
40-
3. Server processes the request and sends a response
41-
4. Steps 2-3 repeat until either party closes the connection
42-
43-
=== Persistent Connections
44-
45-
HTTP/1.1 connections are persistent by default. The same connection can be
46-
reused for multiple request/response exchanges, avoiding the overhead of
47-
establishing new TCP connections.
48-
49-
A connection is closed when:
50-
51-
* Either party sends `Connection: close`
52-
* An error occurs during parsing or I/O
53-
* A configurable idle timeout expires
54-
* The underlying transport is terminated
55-
56-
=== Pipelining
57-
58-
HTTP/1.1 allows clients to send multiple requests without waiting for
59-
responses (pipelining). Responses must arrive in the same order as requests.
60-
While the protocol supports this, many implementations handle it poorly,
61-
which is why this library parses one complete message at a time.
62-
63-
== Messages
64-
65-
HTTP messages consist of three parts: the start line, the headers, and
66-
an optional message body.
67-
68-
[cols="1a,1a"]
69-
|===
70-
|HTTP Request|HTTP Response
71-
72-
|
73-
[source]
74-
----
75-
GET /index.html HTTP/1.1
76-
User-Agent: Boost
77-
Host: example.com
78-
79-
----
80-
|
81-
[source]
82-
----
83-
HTTP/1.1 200 OK
84-
Server: Boost.HTTP
85-
Content-Length: 13
86-
87-
Hello, world!
88-
----
89-
90-
|===
91-
92-
=== Start Line
93-
94-
The start line differs between requests and responses:
95-
96-
**Request line**: `method SP request-target SP HTTP-version CRLF`
97-
98-
**Status line**: `HTTP-version SP status-code SP reason-phrase CRLF`
99-
100-
The library validates start lines strictly. Invalid syntax is rejected
101-
immediately rather than attempting recovery.
102-
103-
=== Header Fields
104-
105-
Headers are name-value pairs that provide metadata about the message.
106-
Each header occupies one line, terminated by CRLF:
107-
108-
[source]
109-
----
110-
field-name: field-value
111-
----
112-
113-
Important characteristics:
114-
115-
* Field names are case-insensitive (`Content-Type` equals `content-type`)
116-
* Field values have leading and trailing whitespace stripped
117-
* The same field name may appear multiple times
118-
* Order of fields with the same name is significant
119-
120-
The library tracks several headers automatically and enforces their semantics:
121-
122-
[cols="1a,4a"]
123-
|===
124-
|Field|Description
125-
126-
|*Connection*
127-
|Controls whether the connection stays open. Values include `keep-alive`
128-
and `close`. The library updates connection state based on this field.
129-
130-
|*Content-Length*
131-
|Specifies the exact size of the message body in bytes. When present,
132-
the parser uses this to determine when the body ends.
133-
134-
|*Transfer-Encoding*
135-
|Indicates transformations applied to the message body. The library
136-
supports `chunked`, `gzip`, `deflate`, and `brotli` encodings.
137-
138-
|*Upgrade*
139-
|Requests a protocol switch (e.g., to WebSocket). The library detects
140-
this and makes the raw connection available for the new protocol.
141-
142-
|===
143-
144-
=== Message Body
145-
146-
The body is a sequence of bytes following the headers. Its length is
147-
determined by:
148-
149-
* `Content-Length` header (exact byte count)
150-
* `Transfer-Encoding: chunked` (length encoded in stream)
151-
* Connection close (for responses without length indication)
152-
153-
The library handles body framing automatically during parsing and
154-
serialization. You provide or consume the raw body bytes.
155-
156-
== Security Considerations
157-
158-
HTTP implementation bugs frequently lead to security vulnerabilities.
159-
The library is designed to prevent common attacks by default.
160-
161-
=== Request Smuggling
162-
163-
Request smuggling exploits disagreements between servers about where
164-
one request ends and the next begins. This happens when:
165-
166-
* Multiple `Content-Length` headers have different values
167-
* Both `Content-Length` and `Transfer-Encoding: chunked` are present
168-
* Malformed chunk sizes are interpreted differently
169-
170-
The library rejects ambiguous requests. When both `Content-Length` and
171-
`Transfer-Encoding` appear, `Transfer-Encoding` takes precedence per
172-
RFC 9110, and `Content-Length` is removed from the parsed headers.
173-
174-
=== Header Injection
175-
176-
Header injection attacks insert unexpected headers by including CRLF
177-
sequences in field values. The library forbids CR, LF, and NUL characters
178-
in header values—attempts to include them throw an exception.
179-
180-
[source,cpp]
181-
----
182-
// This throws - newlines not allowed in values
183-
req.set(field::user_agent, "Bad\r\nInjected-Header: evil");
184-
----
185-
186-
=== Resource Exhaustion
187-
188-
Attackers can exhaust server memory by sending:
189-
190-
* Extremely long header lines
191-
* Too many header fields
192-
* Enormous message bodies
193-
194-
The library provides configurable limits for all of these. When a limit
195-
is exceeded, parsing fails with a specific error code.
196-
197-
[source,cpp]
198-
----
199-
// Configure limits via parser config
200-
request_parser::config cfg;
201-
cfg.headers.max_field_size = 8192; // Max bytes per header line
202-
cfg.headers.max_fields = 100; // Max number of headers
203-
cfg.body_limit = 1024 * 1024; // Max body size (1 MB)
204-
----
205-
206-
=== Field Validation
207-
208-
Field names must consist only of valid token characters. Field values
209-
must not contain control characters except horizontal tab. The library
210-
validates these constraints on every operation that creates or modifies
211-
headers.
212-
213-
== Next Steps
214-
215-
Now that you understand HTTP message structure and session management,
216-
learn how to work with the library's message containers:
217-
218-
* xref:3.messages/3a.containers.adoc[Containers] — request, response, and fields types
12+
Every time you click a link, a small conversation takes place between
13+
two machines. One asks a question; the other answers it. The language
14+
they speak is HTTP, and it is the most widely used application protocol
15+
on Earth. Billions of requests flow through it every hour--web pages,
16+
images, API calls, video streams--all carried by the same simple
17+
exchange of text messages that Tim Berners-Lee sketched on a notepad
18+
in 1990.
19+
20+
You are about to learn that language from the ground up.
21+
22+
We start with the basics: what HTTP actually is, and how clients and
23+
servers find each other through URLs. From there you will look inside
24+
the messages themselves--their structure, the methods that give them
25+
purpose, and the status codes that report what happened. You will see
26+
how headers quietly orchestrate everything from content types to
27+
caching policies, and how content negotiation lets a single resource
28+
serve different representations to different clients.
29+
30+
Then the picture gets more interesting. You will learn how connections
31+
are opened, reused, and closed--and why getting this right matters more
32+
than most people realize. Caching will show you how the Web avoids
33+
doing the same work twice. Authentication will reveal how identity and
34+
trust are woven into the protocol without breaking its stateless design.
35+
36+
Finally, you will follow HTTP's evolution into its modern forms: the
37+
binary multiplexing of HTTP/2, and the QUIC-based transport of HTTP/3
38+
that eliminates decades-old performance bottlenecks at the transport
39+
layer.
40+
41+
None of this requires prior networking experience. Each section builds
42+
on the last, and by the end you will read raw HTTP traffic the way a
43+
mechanic reads an engine--seeing not just what is happening, but _why_.

0 commit comments

Comments
 (0)